Gloria Cilliers, Editor
Insurers’ cyber breach mitigation strategies may destroy evidence: Toronto Police | Canadian Insurance

Insurers’ cyber breach mitigation strategies may destroy evidence: Toronto Police

Inspector calls for collaborative approach at cyber risk conference in light of Bill S-4

Insurers are “too afraid” to involve police in cyber breaches, delegates heard last week at the International Cyber Risk Management Conference, held in Toronto.

Speaking during a panel titled “The Response Gap”, Shawna Coxon, Inspector, strategy management with the Toronto Police Service, cited reputational damage, loss of control and further business interruption as the reasons for this fear.

“We see many insurers grapple whether to involve external agencies, and which ones to involve,” she said.

Coxon said in almost all of the cyber breach cases her team dealt with, she noted how companies’ mitigation strategies “may, and will in fact, destroy evidence that we may need to figure out who did this to you”. “People are afraid because technically under law, we can take over. But our team is very cognisant of that,” Coxon added. “We do try to do things collaboratively, but that requires trust from both sides.”

Coxon called for a more collaborative approach, especially in the light of the updates to the Digital Privacy Act (Bill S-4), which, when it comes into force at the end of 2017, will require companies to disclose cyber breaches to the Office of the Privacy Commissioner of Canada.

Coxon acknowledged that capacity issues and jurisdictional restrictions can slow the process down, but it doesn’t mean companies shouldn’t have the confidence to involve the police.

“Looking at the bigger picture, a lot of these breaches are occurring from similar factors out there. So the capacity to leverage intelligence is really important from a proactive standpoint. The more we can look at collaboration between different forces, including the private sector, the better in the long term.”

She urged insurers to ensure they have a solid response plan in place for when a cyber breach happens, and to update the plans regularly.

“What we’re seeing frequently, is that even if a company has a plan in place, they’ve never tested it, so there are gaps, for example in employee training. We see many companies scrambling when a breach happens, not knowing what to do next, not even having basic steps in place,” she said.

Instant response playbooks changing: RSA

Insurers will have to go beyond a basic response plan to deal with the sophisticated, fast changing nature of cyber security, said fellow-panellist Peter Tran, Senior Director, Advanced Cyber Defense Practice at RSA Insurance.

“From a risk management perspective, there is a material gap occurring when your IT infrastructures are not aligned to your business outcomes,” he said. “Insurance IT infrastructures have been ageing in the last 10 years, and as such, security measures have been left behind. Whilst IT infrastructures are changing rapidly, monitoring infrastructure is not keeping up. Just looking at it from mobile perspective, for example, in 2015 the number of apps downloaded reached 175 billion. That’s 480 million per day. That’s our new world. The monitoring, detection and response gaps are tremendous.”

The obvious, ‘keep-it-simple security basics’ are going to fall short, he said.

“We’re going to see more disruptive attacks that are much smaller in nature, but over a longer period of time. For example, a cloud-based attack or mobile app platform-based attack is not the same as a breach of a data center,” Tran said. “Instant response playbooks are changing fast. And insurers need to keep up.”